Overview#
Some lesser-known examples of using the ndstrace command (almost a cheat sheet).
Table of Contents
- Overview
- Basics
- Load ndstrace in the UI/Curses mode.
- Using ndstrace in the Command-line mode
- Using with EDirectory Multiple Instance
- Unload IDM (Vrdim)
- Show NDS Threads information
- View Server NDS Connection State
- Good one-liner
- 8.7.3.x
- Different with 8.8.X
- To see LDAP IP Connections try:
- To Show NDS Modules loaded
- Operations when command line
- LDAP Trace Only
- ndstrace
- Enable skulker messages
- NMAS Trace
- Force Immediate Synchronization
- ndstrace.log
- Turn File logging On
- Set the log file size:
- Reset Log file:
- Checking NDS Obituaries
- Add more Examples
- Category
- More Information
Basics#
- "exit" will get you out of the screen.
Load ndstrace in the UI/Curses mode.#
ndstrace
Using ndstrace in the Command-line mode#
Load ndstrace in command-line mode, directing output to a file in the background. You can then run tail -f on that file from any terminal to view the messages.
ndstrace -l > /tmp/ndstrace.log &
or
ndstrace -l >> /dev/null &
To exit the command-line process, use:
ndstrace -u
Using with EDirectory Multiple Instance#
When using Multiple Instances, use the --config-file parameter.
ndstrace -c connections --config-file /data/nds/int/nds.conf
Unload IDM (Vrdim)#
To completely unload and load DirXML (Linux and Solaris; we recently verified this still works in 3.6.1):
ndstrace -c "unload vrdim"
ndstrace -c "load vrdim"
Or, if running EDirectory Multiple Instance or a custom setup:
ndstrace -c "load vrdim" --config-file /data/nds/idv/nds.conf
Show NDS Threads information#
Here are a few more useful ndstrace commands (Linux and Solaris):
# ndstrace -c threads
Thread Pool Information
Summary : Spawned 24, Died 0
Pool Workers : Idle 8, Total 24, Peak 24
Ready Work : Current 1, Peak 5, maxWait 112425 us
Sched delay : Min 3314 us, Max 1022572 us, Avg: 727965 us
Waiting Work : Current 14, Peak 17
View Server NDS Connection State#
To find the number of connections to the server.
Good one-liner#
Provides the IP Address and UserId for each connection.
ndstrace -c connections --config-file /data/nds/item/nds.conf | grep -E 'uniqueID|CN' | awk -F '[:=]' '{print $2 " " $4}' | sort -u
10.92.231.2 jwilleke
...
We then took that output and used a bash script to look up the Domain Name System name for each IP address:
#!/bin/bash
# Collect one "IP userid" line per distinct connection pair, then reverse-resolve each IP.
IPLIST="/home/jwilleke/tt.txt"
# sort -u keeps one line per distinct IP/userid pair
ndstrace -c connections --config-file /data/nds/unix/nds.conf | grep -E 'uniqueID|CN' | awk -F '[:=]' '{print $2 " " $4}' | sort -u > "$IPLIST"
while IFS='' read -r line || [[ -n "$line" ]]; do
    # echo "Text read from file: $line"
    ipx=$(echo "$line" | cut -d' ' -f1)
    uidName=$(echo "$line" | cut -d' ' -f2)
    # echo "$ipx"
    # Reverse DNS lookup; keep only the first name returned
    domain=$(dig -x "$ipx" +short | head -1)
    # Append a CSV row: name,IP,userid
    echo -e "$domain,$ipx,$uidName" >> t.txt
done < "$IPLIST"
8.7.3.x#
# ndstrace -c connections
Connection Table Information:
Allocated Connections: 64
1 VALID|AUTHEN tcp:10.129.110.80:39083 .UNKNOWN.svr.[Directory-Info.com].net
2 VALID tcp:10.129.110.80:39087
3 VALID|AUTHEN tcp:10.129.110.80:39088 .UNKNOWN.svr.[Directory-Info.com].net
4 VALID|AUTHEN tcp:10.129.110.80:39089 .UNKNOWN.svr.[Directory-Info.com].net
5 VALID|AUTHEN tcp:10.129.110.80:39090 .UNKNOWN.svr.[Directory-Info.com].net
6 VALID|AUTHEN tcp:10.129.110.80:39093 .UNKNOWN.svr.[Directory-Info.com].net
7 VALID tcp:10.129.110.80:39107
8 VALID tcp:10.129.110.80:39108
9 VALID tcp:10.129.110.80:39109
...
30 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
31 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
32 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
33 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
34 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
35 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
36 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
37 VALID|AUTHEN Local Connection .GQVRMW.VRU.CardServices.Applications.[Directory-Info.com].net
The connections showing "Local Connection" are LDAP connections. Those showing "TCP:..." are NCP connections.
Different with 8.8.X#
With 8.81 we see:
ndstrace -c connections
[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: francis.dc=svr.dc=willeke.dc=com.WILLEKETREE
Connection Table Information:
Allocated Connections: 64
1 VALID|AUTHEN tcp:192.168.1.4:33430 .francis.svr.willeke.com
2 VALID|AUTHEN tcp:192.168.1.4:33431 .francis.svr.willeke.com
3 VALID|AUTHEN tcp:192.168.1.4:33432 .anonymous.administration.willeke.com
4 VALID tcp:192.168.1.4:33434
5 VALID|AUTHEN tcp:192.168.1.4:43630 .admin.administration.willeke.com
6 VALID tcp:192.168.1.4:33436
7 VALID|AUTHEN tcp:192.168.1.4:45004 .admin.administration.willeke.com
8 VALID tcp:192.168.1.4:45007
9 VALID|AUTHEN tcp:192.168.1.2:1205 .SH.svr.willeke.com
10 VALID tcp:192.168.1.2:1206
13 VALID tcp:192.168.1.4:33450
This is more depressing, as the LDAP connections are shown only by the server IP address.
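An added example (not part of the original page): a summary of the connection table that counts tcp rows per remote IP and separates VALID|AUTHEN rows from VALID-only ones, which is the quickest way to spot a host holding many unauthenticated connections. It assumes the column layout of the outputs shown above; the function names and the sample addresses and identities are constructed.

```shell
#!/bin/bash
# Assumed row layout (from the outputs on this page):
#   <n> <FLAGS> tcp:<ip>:<port> [<identity>]

# Reads a connection table on stdin; prints one line per remote IP:
#   <ip> total=<n> authen=<n> unauthen=<n> ids=<comma-separated identities>
summarize_connections() {
    awk '
        # Count only numbered rows with a tcp:<ip>:<port> endpoint;
        # headers and "Local Connection" rows are skipped.
        $1 ~ /^[0-9]+$/ && $3 ~ /^tcp:/ {
            split($3, ep, ":")          # ep[2] is the remote IP
            ip = ep[2]
            total[ip]++
            if ($2 ~ /AUTHEN/) {
                authen[ip]++
                # Record each distinct identity once per IP
                if ($4 != "" && !((ip, $4) in seen)) {
                    seen[ip, $4] = 1
                    ids[ip] = (ids[ip] == "" ? $4 : ids[ip] "," $4)
                }
            }
        }
        END {
            for (ip in total)
                printf "%s total=%d authen=%d unauthen=%d ids=%s\n",
                    ip, total[ip], authen[ip], total[ip] - authen[ip],
                    (ids[ip] == "" ? "-" : ids[ip])
        }
    ' | sort
}

# Constructed sample in the 8.8.x format (not captured from a real server)
sample_table() {
    cat <<'EOF'
Connection Table Information:
Allocated Connections: 64
1 VALID|AUTHEN tcp:192.0.2.4:33430 .svc.svr.example.com
2 VALID|AUTHEN tcp:192.0.2.4:33431 .admin.administration.example.com
3 VALID tcp:192.0.2.4:33434
4 VALID|AUTHEN tcp:192.0.2.4:43630 .admin.administration.example.com
5 VALID|AUTHEN tcp:192.0.2.9:1205 .SH.svr.example.com
6 VALID tcp:192.0.2.9:1206
7 VALID|AUTHEN Local Connection .app.example.com
EOF
}

sample_table | summarize_connections
```

On a live server, pipe the output of ndstrace -c connections (with --config-file where needed) into summarize_connections in place of the sample.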
To see LDAP IP Connections try:#
netstat -a|grep ldap
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
tcp 0 0 francis.svr.willek:ldap 192.168.1.121:ratio-adp ESTABLISHED
tcp 0 0 francis.svr.wille:ldaps 192.168.:isoipsigport-2 ESTABLISHED
This will show the IP addresses connected via LDAP to a Solaris or Linux server.
The *:ldap and *:ldaps entries show that the server is listening for LDAP and LDAPS connections.
Currently there is no method we are aware of to see both the userid and the IP Address for connections via LDAP.
To Show NDS Modules loaded#
# ndstrace -c modules
[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: francis.dc=svr.dc=willeke.dc=com.WILLEKETREE
snmpinst Not Loaded
snmp-0 Not Loaded
repair Not Loaded
pkiinst Not Loaded
nmasldap Running
nmasinst Not Loaded
ndsinfo Not Loaded
ndsclone Not Loaded Directory Clone Agent For Novell eDirectory 8.8 SP1
merge Not Loaded
lsss Running
ldapxs Running
krbpwd Not Loaded
dstrace Not Loaded Trace For Novell eDirectory 8.8 SP1
dsr Not Loaded
dsi Not Loaded
dsbk Not Loaded
backupcr Running
auditds Running
ssncp Running
pkiserver Running Novell Certificate Server
sasl Running [ nldap ]
statuslg Running [ embox ]
embox Running eDirectory Management Tool Box Engine
sss Running [ ssldp ssncp ]
ssldp Running [ nldap ]
spmdclnt Running
nmas Running [ sasl ]
imon Running NDS iMonitor 2.4 for Novell eDirectory v20111.59
nldap Running LDAP Agent for Novell eDirectory 8.8 SP1
hconserv Running HTTP Console Server For Novell eDirectory 8.8 SP1
snmp Running SNMP Trap Server for Novell eDirectory 8.8.1
gams Running Graded Authentication Management Service
niciext Running SDI/SASDFM Transport Service
httpstk Running HTTP Protocol Stack For Novell eDirectory 8.8 SP1 [ nds hconserv imon embox ]
nds Running Directory Agent For Novell eDirectory 8.8 SP1
masv Running Mandatory Access Control Service [ gams ]
dsloader Running Loader Services For Novell eDirectory 8.8 SP1 [ httpstk hconserv nldap ]
dhlog Running DHost message logging module for Novell eDirectory 8.8 SP1
ncpengine Running NCP Protocol Stack For Novell eDirectory 8.8 SP1
ndsd Running Novell eDirectory 8.8 SP1 Host Environment
Operations when command line#
These commands will set up ndstrace to watch LDAP only:
ndstrace -l > /tmp/ndstrace.log &
ndstrace -c 'set dstrace=nodebug'
ndstrace -c 'set ndstrace=FILE ON'
ndstrace -c 'set ndstrace=*R'
ndstrace -c 'dstrace +time +tags +ldap'
less /tmp/ndstrace.log
For EDirectory Multiple Instances this may work:
ndstrace -l --config-file /data/nds/ext/nds.conf > /data/nds/ext/097-ndstrace.log &
ndstrace -c 'set dstrace=nodebug' --config-file /data/nds/ext/nds.conf
ndstrace -c 'set ndstrace=FILE ON' --config-file /data/nds/ext/nds.conf
ndstrace -c 'set ndstrace=*R' --config-file /data/nds/ext/nds.conf
ndstrace -c 'dstrace +time +tags +ldap' --config-file /data/nds/ext/nds.conf
These commands will set up ndstrace to watch DirXML only:
ndstrace -l > /tmp/ndstrace.log &
ndstrace -c 'set dstrace=nodebug'
ndstrace -c 'set ndstrace=FILE ON'
ndstrace -c 'set ndstrace=*R'
ndstrace -c 'dstrace +time +tags +dvrs'
less /tmp/ndstrace.log
These commands will set up ndstrace to check synchronization:
ndstrace -l > /tmp/ndstrace.log &
ndstrace -c 'set dstrace=nodebug'
ndstrace -c 'set ndstrace=FILE ON'
ndstrace -c 'dstrace +SKLK'
ndstrace -c 'set ndstrace=*H'
less /tmp/ndstrace.log |grep 'All processed = '
If there are no errors, all lines will display 'All Processed = Yes.'
These commands will set up ndstrace to check SCHEMA synchronization:
ndstrace -l > /tmp/ndstrace.log &
ndstrace -c 'set dstrace=nodebug'
ndstrace -c 'set ndstrace=FILE ON'
ndstrace -c 'dstrace +SCMA'
ndstrace -c 'dstrace +SCMD'
ndstrace -c 'set ndstrace=*SS'
less /tmp/ndstrace.log
If there are no errors, all lines will display 'All Processed = Yes.'
To exit the command-line process, use:
ndstrace -u
LDAP Trace Only#
Chain commands to get what you want. This turns the screen on, all traces off and then turns LDAP on:
ndstrace; ndstrace file on;set ndstrace =NODEBUG;set ndstrace =+LDAP
ndstrace#
Enable skulker messages#
Enables skulker messages, and schedules the replica synchronization process to start immediately on the server.
ndstrace -c "ndstrace +sklk; set ndstrace=*h"
NMAS Trace#
For NMAS changes on a server: http://www.novell.com/support/viewContent.do?externalId=3815371
Force Immediate Synchronization#
You can Force Immediate Synchronization with ndstrace.
ndstrace.log#
Refer to the /var/nds/ndstrace.log file for more information.
Turn File logging On#
ndstrace; ndstrace file on
Set the log file size:#
set ndstrace=*M<size_in_bytes>
Reset Log file:#
set ndstrace=*R
Checking NDS Obituaries#
ndsrepair -C -Ad -A